Azure monitoring - SAML Certificates & Apps

Hi,
Is it possible to monitor Azure Application SAML Certificates expiry?

Also is it possible to monitor Azure application certificates and/or client secrets expiry?

Same question here… does anybody have information about this?
I set up the Azure integration itself, but it just reports user and AAD sync state, nothing about app secrets.

I found a temporary solution for me. Not very pretty, but it works; maybe it's also interesting for somebody else.

I created a local check on one of my Windows servers and built a PowerShell script that connects to Azure AD and checks the secret lease time.

The authentication is the slightly tricky part: as I didn't want to store the certificate directly inside my script, I split it into 2 files.
Script 1 is pushed via the Agent Bakery and executes all the logic of the local check.
Script 2 only contains the Connect-AzureAD part, is stored manually on my Windows hosts under c:\private\AzureAdLogin.ps1 and is executed from Script 1.

Script 1:

#### Get all Azure AD apps with KeyCredentials or PasswordCredentials and output their token expiration dates.
#### One Azure app = one Checkmk service.
#### The service state is always calculated from the first expiring token per app.
#### WarningDays and CriticalDays define how many days before the expiration date the service goes to WARN or CRIT.

## Script 2 (stored outside the baked agent) performs the certificate-based Connect-AzureAD
. C:\private\AzureAdLogin.ps1 | Out-Null
###

$WarningDays=30
$CriticalDays=10

$output=@()
## -All $true: without it the cmdlet only returns the first page of apps
$allapps=(Get-AzureADApplication -All $true)

foreach ($app in $allapps)
{

## get KeyCredentials and PasswordCredentials with their EndDate
$auths=@()
$auths+=$app | Get-AzureADApplicationKeyCredential
$auths+=$app | Get-AzureADApplicationPasswordCredential


## only proceed if the app has a token that expires
if (($auths | measure).Count -eq 0) {continue}


## calculate service state from the first expiring token
$FirstExpiringAuth=$auths | sort EndDate | select -first 1
if     ($FirstExpiringAuth.EndDate -lt (get-date).AddDays($CriticalDays)) {$state=2}
elseif ($FirstExpiringAuth.EndDate -lt (get-date).AddDays($WarningDays))  {$state=1}
else {$state=0}


## generate output line: <state> "<service name>" - <status text>   ('-' = no metrics)
## the first 8 characters of the KeyId identify the token in the status text
$KeyExpirationDates=($auths | sort EndDate | foreach {$key=$_.KeyId.ToString().Substring(0,8) + '[..]:' + $_.EndDate.ToString("yyyy-MM-dd HH:mm"); $key}) -join [char]9
$output+=$state.ToString() + ' "AzureApp: '+$app.DisplayName+'" - Keys Expire Date:' +[char]9  + $KeyExpirationDates

}

$output
Script 2: 
##################### Usage #############################
#'Setup:
#Step 1: manually log in with Connect-AzureAD
#Step 2: uncomment section 1 and run the script to create an Azure AD app, grant the necessary permissions and configure a certificate for usage
#Step 3: put TenantId, AppId and Cert (thumbprint) into the lines in Section 2
#Step 4: comment out section 1 and only leave section 2 uncommented
#Step 5: save file


############################## Section 1 ###################################
###generate AzureAD Login
#####
#####
#$hostname=(get-wmiobject win32_computersystem).dnshostname + "." + (get-wmiobject win32_computersystem).domain
#$CertTempPath="c:\temp\examplecert.pfx"

### manually login with 
### connect-azuread (with user prompt) first, to generate Login Information


#function Get-RandomPassword {
#    param (
#        [Parameter(Mandatory)]
#        [int] $length,
#        [int] $amountOfNonAlphanumeric = 1
#    )
#    Add-Type -AssemblyName 'System.Web'
#    return [System.Web.Security.Membership]::GeneratePassword($length, $amountOfNonAlphanumeric)
#}



# Create the self signed cert
#$currentDate = Get-Date
#$endDate = $currentDate.AddYears(1)
#$notAfter = $endDate.AddYears(1)
#$pwd = Get-RandomPassword 20
#$thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName $hostname -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
#$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
#Export-PfxCertificate -cert "cert:\localmachine\my\$thumb" -FilePath $CertTempPath -Password $pwd

# Load the certificate
#$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate($CertTempPath, $pwd)
#$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())




## create the CheckMK application and add the certificate as key credential
#$App=New-AzureADApplication -DisplayName "CheckMK-Script" -IdentifierUris $hostname
#new-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -CustomKeyIdentifier "CheckMKScriptChecks" -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue


#$sp=New-AzureADServicePrincipal -appid $app.AppId

## delete Certificate File
#remove-item $CertTempPath -Confirm:$false



#$roleid=(get-azureaddirectoryrole | ? displayname -like "*Directory Read*").objectid

#Add-AzureADDirectoryRoleMember -ObjectId $roleid -RefObjectId $sp.objectid


#$tenant=(Get-AzureADTenantDetail)


#$TenantId=$tenant.ObjectId
#$AppId=$sp.appid
#$Cert=$thumb
#write $tenantId
#write $AppId
#write $Cert


############################## Section 2 ###################################
### for usage
### fill in with data from above
$tenantId="123123123123123"
$AppId="123123123123123123"
$cert="1231231231231231231"


Connect-AzureAD -TenantId $tenantId -ApplicationId $AppId -CertificateThumbprint $cert
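Added example, not the poster's script: the SAML signing certificate of an Enterprise Application is stored as a KeyCredential on the service principal, not on the app registration, so a local check that answers the SAML question from the first post as well needs a second loop over service principals. It assumes the same AzureAD module and C:\private\AzureAdLogin.ps1 helper as the scripts above; the Get-ExpiryState / Write-LocalCheckLine functions and the service names are this example's own choices.

```powershell
# Added example, not the poster's script: one local check covering app registrations
# (client secrets + uploaded certificates) AND enterprise applications, whose SAML
# signing certificate is a KeyCredential on the service principal. Assumes the AzureAD
# module and the C:\private\AzureAdLogin.ps1 login helper described above.
. C:\private\AzureAdLogin.ps1 | Out-Null

$WarningDays  = 30
$CriticalDays = 10

# Pure state calculation on the earliest EndDate: 2 = CRIT, 1 = WARN, 0 = OK.
function Get-ExpiryState {
    param([datetime[]]$EndDates, [datetime]$Now = (Get-Date))
    $first = $EndDates | Sort-Object | Select-Object -First 1
    if     ($first -lt $Now.AddDays($CriticalDays)) { return 2 }
    elseif ($first -lt $Now.AddDays($WarningDays))  { return 1 }
    return 0
}

# One Checkmk local-check line: <state> "<service>" - <status text>  ('-' = no metrics).
# Credentials without an EndDate are ignored; objects without credentials emit nothing.
function Write-LocalCheckLine {
    param([string]$Service, [object[]]$Creds)
    $Creds = @($Creds | Where-Object { $_.EndDate })
    if ($Creds.Count -eq 0) { return }
    $state  = Get-ExpiryState -EndDates ($Creds | ForEach-Object { $_.EndDate })
    $detail = ($Creds | Sort-Object EndDate | ForEach-Object {
        # KeyCredentials carry Type/Usage; PasswordCredentials (client secrets) do not
        $kind = if ($_.Type) { "$($_.Type)/$($_.Usage)" } else { 'Password' }
        '{0} expires {1}' -f $kind, $_.EndDate.ToString('yyyy-MM-dd')
    }) -join ', '
    '{0} "{1}" - {2}' -f $state, $Service, $detail
}

# App registrations: client secrets and certificates uploaded to the registration.
foreach ($app in Get-AzureADApplication -All $true) {
    $creds  = @(Get-AzureADApplicationKeyCredential      -ObjectId $app.ObjectId)
    $creds += @(Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId)
    Write-LocalCheckLine -Service ("AzureApp: " + $app.DisplayName) -Creds $creds
}

# Enterprise applications: the SAML signing certificate (Usage Sign/Verify) lives here,
# so the SAML expiry question in this thread is answered by this loop, not the one above.
foreach ($sp in Get-AzureADServicePrincipal -All $true) {
    $creds = @(Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId)
    Write-LocalCheckLine -Service ("AzureSAML: " + $sp.DisplayName) -Creds $creds
}
```

The service-principal loop also visits first-party Microsoft service principals; filter it by the Tags or ServicePrincipalType properties if those produce services you do not want.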

Microsoft Azure App Registration Secret (checkmk.com)

How do you set this up? Should Checkmk pull apps in automatically? We have piggyback configured, which is showing resource group information.